Craig Ozancin said:
>=================================
>Candidate: CAN-1999-0352
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990721
>Assigned: 19990607
>Category: SF
>Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely
>Possible/32) enterprise management software
>Reference: XF:controlit-passwd-encrypt
>
>ControlIT 4.5 and earlier (aka Remotely Possible) has weak password
>encryption.
>
>VOTE: Recast
>
>Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
>weak encryption.
>
>=================================
>Candidate: CAN-1999-0356
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990721
>Assigned: 19990607
>Category: SF
>Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely
>Possible/32) enterprise management software
>Reference: XF:controlit-bookfile-access
>
>ControlIT v4.5 and earlier uses weak encryption to store
>usernames and passwords in an address book.
>
>VOTE: Recast
>
Assuming the CVE vulnerability definition isn't adapted to exclude
these candidates in the first place, I agree that these should be
merged. According to the ISS advisory, the same encryption strategy
is used in both cases; it's the encryption algorithm that's the
vulnerability, not the fact that it's used in a number of different
functional areas.

I consider this situation to be equivalent to a bug in a library or
DLL - the vulnerability is in the library, not in all the different
executables that use it.
- Steve